Tuesday, April 3, 2007

I'm frequently asked how to easily send email more securely. My default answer in the past was to point the person to PGP or GPG, with the caveat that neither was particularly user friendly and that it would require additional software.

That's not the case these days. Most major email clients include S/MIME support, and getting a certificate is pretty easy - for example, Thawte provides free personal email certificates which are easily imported into your client. From there, you can use the certificate to sign and/or encrypt your email. You'll need the person on the other end to get you their certificate to send encrypted mail to them, but again, modern email clients make this a snap. For most clients, simply have the remote user send you a signed email and click the "import" button when you see the icon for "signed mail" show up.

Pretty easy, right?

What's the difference between signing an email and encrypting it? Signing an email is a way of ensuring that the email is a) one you wrote and b) hasn't been changed along the way. A signed email says "This is from me, and it is exactly the message I wrote to you". An encrypted message is just that - encrypted so that it cannot be read except by people who have the right key to unlock it. Put them both together - a signed and encrypted message, and you have an email that you know came from a given person, you know it hasn't changed in content, and you know nobody else saw it along the way.

The truly paranoid security types would have me note that "you know that it came from a given person" is really "You decided to trust the certificate authority" and that "nobody else saw it" means "you can be reasonably certain that without heroic means using modern technology, nobody else can read the message". Digital signatures are highly dependent on trust models - the signature is only as good as the trust you can place in it.

If you know you want to do S/MIME, an easy way to get a S/MIME certificate from a trusted third party is to use Thawte's free personal email certificate. If you do use Thawte's free email certificate program, you can find notaries in most major metro areas, or you can catch them at your next security conference. A notary will verify that you are who you say you are for Thawte - basically a distributed trust model. If you're far away from any notary, there are alternate ways to get certified, albeit at a cost. If you get your certificate notarized for 50 points or more, you can put your name in your certificate. If you get to 100 points, you can become a notary. After that, the more people you notarize, the more points you will be able to give out - notaries max out at 35 points. In a reasonably sized organization, a handful of notaries can quickly become 35 point notaries and bootstrap new notaries easily.

I should tell you up front that Thawte will want what they call a "National ID number". I counsel people to use their driver's license number rather than their SSN here, as any notary who signs your certificate will need to keep that information on file.

Should your organization use signed or encrypted email? That's a matter of needs, policy, and practical considerations for implementation - and we'll talk about that another day. For now, if your question is "can I, as an individual, easily send signed or encrypted email easily", the answer is yes!